Even so, it is "difficult to make the business case" for cybersecurity investments because the probability of a devastating attack is so low. One problem: Regulations that mandate action often end up as a mere checklist for utilities – without actually improving security, because cyberthreats keep evolving.

In May, the White House offered its plan to put the grid in DHS hands. In July, a Senate bill proposed putting oversight authority with FERC and DOE. Action could come in the Senate as soon as January.

None of these proposals portends a single body with national regulatory oversight of cybersecurity standards, covering not just bulk power that is transmitted long distances over high-voltage lines but also local distribution systems, the MIT report notes.

"The federal government should designate a single agency to have responsibility for working with industry and to have appropriate regulatory authority to enhance cybersecurity preparedness, response, and recovery across the electric power sector, including bulk power and distribution systems," the study recommended.